Jamf Log Stream

Learn about ingesting data from the Jamf Log Stream service.

Overview

The Jamf Log Stream is a feature available only to customers of the Jamf Cloud Premium offering. The Jamf Log Stream makes data from the Change Management and Access logs available for consumption via Splunk, Amazon S3 or an HTTPS endpoint. Additional information regarding the configuration of your endpoint to receive these log files can be found here.

Log Details

To assist third parties with ingesting information provided by Jamf, this article provides sample data, as well as general formatting of data provided in these logs.

Access Log

The Access Log tracks login attempts to Jamf Pro, including the date, username, IP address and entry point. Below you can find a snippet pulled directly from the Access Log to demonstrate the format of the data.

2021-09-09T08:44:00,679: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=Universal API
2021-09-09T08:44:01,121: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS
2021-09-09T11:56:01,012: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS (API)
2021-09-28T13:51:35,768: username=sampleUser, status=Failed Login, ipAddress=10.1.1.1, entryPoint=JSS

It is worth noting that an entryPoint value of "Universal API" corresponds to the Jamf Pro API, a value of "JSS (API)" corresponds to the Classic API, and "JSS" refers simply to the Jamf Pro web application user interface. Furthermore, the Jamf Pro user interface leverages the Jamf Pro API for many features, including login workflows, so you should expect to find entries for both entryPoint values ("JSS" and "Universal API") when authenticating to the user interface.

Notice

Beginning in Jamf Pro version 10.35.0, individual requests to the Classic API using bearer token authentication no longer log entries to the access log. Requests to obtain the bearer token continue to be logged and identified by the "Universal API" entry point, regardless of which API the token is subsequently used with.
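The following parser is an added example for ingesting the Access Log format shown above; it is not code from Jamf or from this page. It splits each line into its timestamp and key=value fields, maps the documented entryPoint values to the interface they denote, and then runs a simple failed-login burst check over the parsed records. The sample lines are constructed from the snippet above plus two extra failed attempts (assumed data) so that the burst check has something to find; the threshold and window are arbitrary assumptions a SIEM rule would tune.

```python
import re
from datetime import datetime

# Constructed sample: the page's four lines plus two assumed extra failures for sampleUser.
SAMPLE_ACCESS_LOG = """\
2021-09-09T08:44:00,679: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=Universal API
2021-09-09T08:44:01,121: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS
2021-09-09T11:56:01,012: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS (API)
2021-09-28T13:51:35,768: username=sampleUser, status=Failed Login, ipAddress=10.1.1.1, entryPoint=JSS
2021-09-28T13:51:40,001: username=sampleUser, status=Failed Login, ipAddress=10.1.1.1, entryPoint=JSS
2021-09-28T13:51:45,377: username=sampleUser, status=Failed Login, ipAddress=10.1.1.1, entryPoint=JSS
"""

# The timestamp uses a comma before the millisecond part; the rest of the line is "key=value" pairs.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),(?P<ms>\d{3}): (?P<fields>.*)$")
# Values may contain spaces (e.g. "Successful Login", "JSS (API)"), so cut at the next ", key=" boundary.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")

# Interface names for each entryPoint value, as documented on this page.
ENTRY_POINT_NAMES = {
    "Universal API": "Jamf Pro API",
    "JSS (API)": "Classic API",
    "JSS": "Jamf Pro web UI",
}


def parse_access_line(line):
    """Parse one Access Log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    record = {"timestamp": ts.replace(microsecond=int(m.group("ms")) * 1000)}
    for key, value in FIELD_RE.findall(m.group("fields")):
        record[key] = value
    record["interface"] = ENTRY_POINT_NAMES.get(record.get("entryPoint"), "unknown")
    return record


def parse_access_log(text):
    """Parse all lines, silently skipping lines that do not match (e.g. blank lines)."""
    return [r for r in (parse_access_line(l) for l in text.splitlines()) if r]


def failed_login_bursts(records, threshold=3, window_seconds=60):
    """Return (username, ipAddress) pairs with at least `threshold` failed logins inside `window_seconds`."""
    failures = {}
    for r in records:
        if r.get("status") == "Failed Login":
            failures.setdefault((r["username"], r["ipAddress"]), []).append(r["timestamp"])
    hits = []
    for key, times in failures.items():
        times.sort()
        # Sliding window over the sorted timestamps: any `threshold` consecutive failures inside the window.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for r in recs:
        print(r["timestamp"].isoformat(), r["username"], r["status"], r["interface"])
    print("bursts:", failed_login_bursts(recs))
```

Because the UI logs in through the Jamf Pro API, a single interactive login produces two records (one "Universal API", one "JSS") a fraction of a second apart; any rule that counts successful logins per user should account for that pairing.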

Change Management Log

The Change Management log tracks Create, Read, Update and Delete operations made to the Jamf Pro environment. The data output to this log has a high degree of variability, based on the object type that's being interacted with. Below you can find a snippet that has been modified to demonstrate the standard data format of a log entry.

[username (ID: #)] [OPERATION] [Resource] [Date]

Below is a snippet pulled directly from the Change Management log which further demonstrates the data format using actual values. Many log entries include additional information related to the resource that was accessed, which is further demonstrated below.

[Jamf Pro System (ID: -1)] [READ] [Device Communication Settings] [2021-08-27T08:03:33.332-0500]
    Computers - when the built-in CA is renewed         true
    Computers - when the MDM profile expires .......... true
    Computers - days before the MDM profile expires     180
    Devices - when the built-in CA is renewed ......... true
    Devices - when the MDM profile expires              true
    Devices - days before the MDM profile expires ..... 180
  
[jssadmin (ID: 1)] [DELETE] [Computer] [2021-09-09T08:48:43.115-0500]
    ID             113
    Name ......... Lauras MacBook Pro
  
[jssadmin (ID: 1)] [UPDATE] [User] [2021-09-28T14:23:31.983-0500]
UNKNOWN
[jssadmin (ID: 1)] [READ] [Computer] [2021-09-28T14:26:37.524-0500]
    ID             3
    Name ......... Alishia's MacBook Air

Additional Information

  • Changes initiated by Jamf Pro are identified by the "Jamf Pro System" user with an ID value of -1.
  • Additional information about the resource may be included below each log entry.
  • The format of additional information for a resource is unique to each resource type.
  • The format and type of additional information associated with a specific resource type is subject to change without notice.
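As an added example (not Jamf's code or anything from this page), the parser below handles the Change Management format described above: a `[username (ID: #)] [OPERATION] [Resource] [Date]` header followed by zero or more indented detail lines, where each detail line is a label and a value separated either by padding spaces or by dotted leaders. Detail lines it cannot split (such as the bare `UNKNOWN` line in the snippet) are kept verbatim rather than dropped, since the page says the detail format varies per resource type and may change without notice. The sample text is constructed from the page's own snippet.

```python
import re
from datetime import datetime

# Constructed sample taken from the Change Management snippet on this page.
SAMPLE_CHANGE_LOG = """\
[Jamf Pro System (ID: -1)] [READ] [Device Communication Settings] [2021-08-27T08:03:33.332-0500]
    Computers - when the built-in CA is renewed         true
    Computers - when the MDM profile expires .......... true
    Computers - days before the MDM profile expires     180
  
[jssadmin (ID: 1)] [DELETE] [Computer] [2021-09-09T08:48:43.115-0500]
    ID             113
    Name ......... Lauras MacBook Pro
  
[jssadmin (ID: 1)] [UPDATE] [User] [2021-09-28T14:23:31.983-0500]
UNKNOWN
[jssadmin (ID: 1)] [READ] [Computer] [2021-09-28T14:26:37.524-0500]
    ID             3
    Name ......... Alishia's MacBook Air
"""

# Header: four bracketed fields; the user ID may be negative (-1 is the Jamf Pro System user).
HEADER_RE = re.compile(
    r"^\[(?P<user>.+?) \(ID: (?P<uid>-?\d+)\)\] \[(?P<op>[A-Z]+)\] \[(?P<resource>.+?)\] \[(?P<ts>[^\]]+)\]$"
)
# Detail line: indented label, then either " .... " dotted leaders or two-plus spaces, then the value.
DETAIL_RE = re.compile(r"^\s+(?P<label>.+?)(?: \.+ | {2,})(?P<value>.*)$")


def parse_change_log(text):
    """Return a list of entries; each has header fields, a `details` dict and a `raw` list of unparsed lines."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue  # the log separates entries with blank (sometimes whitespace-only) lines
        h = HEADER_RE.match(line)
        if h:
            current = {
                "user": h.group("user"),
                "user_id": int(h.group("uid")),
                "system_initiated": h.group("uid") == "-1",  # per the page: Jamf Pro System has ID -1
                "operation": h.group("op"),
                "resource": h.group("resource"),
                "timestamp": datetime.strptime(h.group("ts"), "%Y-%m-%dT%H:%M:%S.%f%z"),
                "details": {},
                "raw": [],
            }
            records.append(current)
            continue
        if current is None:
            continue  # detail text before any header has nothing to attach to
        d = DETAIL_RE.match(line)
        if d:
            current["details"][d.group("label")] = d.group("value")
        else:
            current["raw"].append(line.strip())  # e.g. "UNKNOWN": keep it, the format is resource-specific
    return records


def deletions(records):
    """(user, resource, name) for every DELETE, a common audit question; name falls back to '?' when absent."""
    return [
        (r["user"], r["resource"], r["details"].get("Name", "?"))
        for r in records
        if r["operation"] == "DELETE"
    ]


if __name__ == "__main__":
    recs = parse_change_log(SAMPLE_CHANGE_LOG)
    for r in recs:
        who = "system" if r["system_initiated"] else r["user"]
        print(r["timestamp"].isoformat(), who, r["operation"], r["resource"], r["details"] or r["raw"])
    print("deletions:", deletions(recs))
```

When feeding these entries to a SIEM, keep the `raw` lines and the original text alongside the parsed fields: a detail layout that parses today may stop matching after an upgrade, and the header fields alone (actor, operation, resource, time) are the stable part of the record.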

Sync Frequency

Logs are synchronized every 5 minutes or when the log size reaches 5MB, whichever occurs first. Most environments do not experience enough traffic to require syncs to occur more than every 5 minutes.

File Formats

Log files are sent to the specified endpoint in an uncompressed GZIP format.